What is RYUK RANSOMWARE?

What is Ryuk ransomware?

First seen in 2018, Ryuk is probably one of the most dangerous ransomware families in circulation, targeting both the public and private sectors and especially the healthcare sector. It uses open-source malware to move through a compromised system before the ransomware stage is launched. 'Ryuk' is named after a famous Japanese anime villain, and the ransomware has proven a serious threat to businesses and organizations.

In 2018, large organizations began noticing that they were being specifically targeted by Wizard Spider, the hacking group behind Ryuk, which disabled the computer systems of United Health Care, one of the largest healthcare providers in the world. Some of the most high-profile Ryuk attacks in 2018 included the Onslow Water and Sewer Authority (OWASA) in Florida and the Tribune Publishing Company.

In the CrowdStrike 2020 Global Threat Report, Ryuk accounts for three of the top 10 largest ransom demands of the year: USD $5.3 million, $9.9 million, and $12.5 million. Ryuk has successfully attacked industries and companies around the globe.

Ryuk is among the most sophisticated ransomware families because it has the capabilities needed to target large enterprises and organizations.

How does Ryuk ransomware work?

A recently discovered Emotet-TrickBot-Ryuk campaign has been observed deploying and launching the Ryuk ransomware.

Emotet deploys TrickBot to steal data and spread Ryuk. The attack proceeds in phases:

The first stage of the attack starts with a weaponized Microsoft Office document attached to a phishing email. The document contains malicious macro code. Once the user opens it, the macro launches cmd.exe and executes a PowerShell command that attempts to download the Emotet payload.

Emotet's execution chain starts within outlook.exe, where the phishing email was received. winword.exe then opens the malicious attachment and launches cmd.exe to run PowerShell, which downloads and executes the Emotet payload.

The PowerShell Emotet dropper obfuscates its command line. The PowerShell instance attempts to download the Emotet payload from several malicious domains after "building" the download URLs from multiple string chunks. It saves the payload as 379.exe (SHA1: B521fe7ff72e68165ff767d7dfa868e105d5de8b) and executes it.

The PowerShell script attempts to download the Emotet payload from the following domains:

• efreedommaker[.]com
• retro11legendblue[.]com
• oussamatravel[.]com
• cashcow[.]ai
• shahdazma[.]com


When the Emotet payload executes, it looks to continue its malicious activity by further infecting and gathering information on the affected machine. It initiates the download and execution of the TrickBot trojan by communicating with and downloading from a pre-configured and remote malicious host.


TrickBot is classified as a banking trojan, but the banking-related capability is just one of its many abilities. TrickBot is able to communicate with a C2 server as well as collect and exfiltrate sensitive data ranging from banking credentials, usernames and passwords, and personal data. An attacker with this information can easily destroy trust in a business, wreck the reputation of a brand, or compromise individuals and cost companies money.

Once the machine is infected with TrickBot, the attackers check to see if the target machine is part of an industry they are looking to target. If it is, they download an additional payload and use the admin credentials stolen using TrickBot to perform lateral movement and reach the assets they wish to infect.

The attacker logs into a domain controller and copies tools into a temporary directory: AdFind.exe (an Active Directory enumeration utility), a .bat script that runs AdFind and saves its output into text files, and a copy of the 7-Zip archive utility.

After the attacker gathers a list of domain controllers and targeted servers in the environment, they test whether a connection is available using ping.exe and mstsc.exe (RDP).

Once the attacker has a connection, they start to spread the Ryuk payload through the network via Windows administrative shares (MITRE ATT&CK Technique T1077). These are hidden shares such as Admin$, IPC$, Share$ and C$ that are enabled by default on Windows hosts for administrative purposes.

The attacker drops a few files into the hidden share, including a .bat script named COPY.bat, a text file listing one or more of the targeted machines the attacker located, a copy of psexec.exe that is signed and verified, and the Ryuk dropper Ryuk.exe.

The attacker runs the .bat script, which uses psexec.exe with the stolen admin credentials to obtain a remote shell and copy the malicious Ryuk payload to a temporary folder on each remote host listed in the text file comps{number}.txt. Figure: execution of the .bat script.

Once this is complete, the Ryuk payload is executed using PsExec. Figure: the attack flow, beginning with the malicious email and ending with Ryuk execution.

Once delivered, the ransomware dropper Ryuk.exe checks the system architecture and drops the matching main payload.

Once Ryuk infects the machine, it starts to encrypt files and spreads through the network to infect more machines. This increases the damage and the likelihood that the victim will be willing to pay the ransom. This threat, due to its advanced capabilities and spreading ability, can cause a great deal of damage to an organization, from loss of money to brand degradation. 


High-profile Ryuk Ransomware Attacks:

October 2018: Ryuk targeted large organizations, among them the Onslow Water and Sewer Authority (OWASA), and disrupted their network.

December 2018: Tribune Publishing Newspapers became victims, affecting users like the Los Angeles Times.

2019-2020: Ryuk targeted a range of hospitals in California, New York, and Oregon. It also targeted British and German healthcare facilities, causing struggles in accessing patient records and even affecting critical care.

Prevention and mitigation

Most of these incidents start with a click on an email attachment. Educate your team on how to correctly handle suspicious emails so the initial download or drop of malware never happens. To protect against lateral movement, do not work from privileged accounts for everyday tasks, do not leave RDP sessions open without properly terminating them, do not store passwords in plain text, deploy good authentication practices, disable unnecessary shared folders, and rename the default shares used in your organization.

Make sure your systems are patched, especially against CVE-2017-0144, to prevent the propagation of TrickBot and other malware. Disable macros across the environment. Follow Microsoft's security advisory updates on improving credential protection and management in your organization.

This kind of sophisticated malware is hard for traditional antivirus to detect because it evades signature-based detection easily. Next-generation antivirus or EDR technology is needed: EDR performs behavioral analysis, using ML and AI to identify malicious behaviour by spotting deviations from normal everyday activity.
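As an added illustration (not code from the original post), the following Python script turns the process chain described above into the kind of behavioral rules an EDR would apply, run over constructed Sysmon-style process-creation events: it flags an Office process spawning cmd/PowerShell, hidden or encoded PowerShell, AdFind/PsExec execution, and the Ryuk.exe push, grouped per host. The event fields, hostnames, paths and command lines are all assumptions made up for the example.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
# They replay the chain above: Word -> cmd -> PowerShell on a workstation, then AdFind
# and PsExec pushing Ryuk.exe from a domain controller; WS02 is benign background noise.
SAMPLE_EVENTS = [
    {"host": "WS01", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd /c powershell -w hidden -enc QUJDREVGR0g="},
    {"host": "WS01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -enc QUJDREVGR0g="},
    {"host": "DC01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\AdFind.exe", "cmd": "AdFind.exe -f objectcategory=computer"},
    {"host": "DC01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\Temp\psexec.exe",
     "cmd": r"psexec.exe \\SRV01 -d C:\Windows\Temp\Ryuk.exe"},
    {"host": "WS02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

OFFICE = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I)
SHELLS = re.compile(r"\\(cmd|powershell)\.exe$", re.I)
LATERAL_TOOLS = re.compile(r"\\(adfind|psexec|psexec64)\.exe$", re.I)

def classify(event):
    """Return the names of the rules this single event matches."""
    parent, image, cmd = event["parent"], event["image"], event["cmd"]
    hits = []
    # Stage 1: an Office process spawning cmd/PowerShell is the macro firing.
    if OFFICE.search(parent) and SHELLS.search(image):
        hits.append("office_spawns_shell")
    # Stage 1: hidden-window or encoded PowerShell, as used by the Emotet dropper.
    if image.lower().endswith("powershell.exe") and re.search(r"-(enc|w hidden)", cmd, re.I):
        hits.append("obfuscated_powershell")
    # Lateral movement: AD enumeration and PsExec, wherever the binaries were copied.
    if LATERAL_TOOLS.search(image):
        hits.append("lateral_movement_tool")
    # Payload pushed to a remote host; name-based, so treat it as a weak signal only.
    if re.search(r"\\ryuk\.exe\b", cmd, re.I):
        hits.append("ryuk_payload")
    return hits

def scan(events):
    """Group rule hits per host so the full chain can be reviewed for each machine."""
    findings = {}
    for event in events:
        hits = classify(event)
        if hits:
            findings.setdefault(event["host"], set()).update(hits)
    return {host: sorted(rules) for host, rules in findings.items()}
```

A host that collects several of these rules in a short window (here WS01 and DC01) is far more suspicious than any single hit, which is the kind of correlation the behavioral analysis above relies on.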

Contributors:

1. Rajat Bhatt
2. Komal Desodhia, 2nd year, CSE, IIIT Pune.
3. Dr. Nitesh K Bhardwaj, Assistant Professor, Dept. of CSE, IIIT Pune.
4. Dr. Bhupendra Singh, Assistant Professor, Dept. of CSE, IIIT Pune.
